Google’s new buggy microblogging Web app aims to educate

Web applications are susceptible to a wide range of Web-specific security flaws. Though Web developers are often aware of at least some of the common modes of attack, those modes are many and varied, and problems such as cross-site scripting continue to cause trouble.

To help address this issue, Google has published a new microblogging application, Jarlsberg, that's just chock full of bugs. Along with Jarlsberg comes a series of exercises designed to teach people what the different flaws are, how to find them, and how to fix them. The tutorials use both black-box techniques, where attackers treat the application as a black box with no knowledge of its source or internals, and white-box techniques, where attackers know everything about the system.

The exercises are informative and seem to be put together well. They introduce the different kinds of flaws and show off the range of ways in which each flaw can be exploited. With each flaw there are hints of where to look to figure out each problem, and a description of how to fix the problem. Many of the fixes themselves have additional flaws, which the tutorial also identifies. This reflects the unfortunate situation that many fixes that developers use are incomplete, and can themselves be circumvented.
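The pattern the tutorial warns about, a fix that looks right but can be circumvented, is easy to see with cross-site scripting. The following is an added example, not code from Jarlsberg or from Google: it renders a user-supplied snippet three ways (unfiltered, through a blacklist that strips the literal `<script>` tag, and HTML-escaped), then runs a crude detector over the output to show which renderings still carry active content. The sample payloads and the `has_active_content` check are constructed for this illustration and are not from the tutorial.

```python
import html
import re

# Constructed sample inputs (not from Jarlsberg): a benign comment, a plain
# script injection, and two payloads that defeat the blacklist filter.
SAMPLES = {
    "benign": "Hello <b>world</b>",
    "plain": "<script>alert(1)</script>",
    "nested": "<scr<script>ipt>alert(1)</script>",
    "no_script_tag": '<img src=x onerror="alert(1)">',
}


def render_unfiltered(snippet: str) -> str:
    """Vulnerable: reflects attacker-controlled text straight into the page."""
    return f"<p>{snippet}</p>"


def render_blacklist(snippet: str) -> str:
    """Incomplete fix: strips the literal <script> tag once, case-insensitively.

    It stops the obvious payload but not a nested one ("<scr<script>ipt>"
    becomes "<script>" after one pass) and does nothing about payloads that
    never use a script tag at all (event-handler attributes)."""
    cleaned = re.sub(r"(?i)<script>", "", snippet)
    return f"<p>{cleaned}</p>"


def render_escaped(snippet: str) -> str:
    """Correct fix for an HTML text sink: escape so the input is data, not markup."""
    return f"<p>{html.escape(snippet, quote=True)}</p>"


# Crude detector used only to compare the three renderers: a literal script
# tag, or an event-handler attribute inside a real tag. Escaped output has no
# literal "<", so it can never match.
ACTIVE_CONTENT = re.compile(r"(?i)<script\b|<[a-z][^>]*\bon[a-z]+\s*=")


def has_active_content(rendered: str) -> bool:
    return ACTIVE_CONTENT.search(rendered) is not None


def compare(snippet: str) -> dict:
    """Which renderings of this snippet still contain active content?"""
    return {
        "unfiltered": has_active_content(render_unfiltered(snippet)),
        "blacklist": has_active_content(render_blacklist(snippet)),
        "escaped": has_active_content(render_escaped(snippet)),
    }


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:14s} {compare(payload)}")
```

Note that the blacklist appears to work on the plain payload, which is exactly why such fixes survive code review. Escaping is the right fix only for this sink (HTML text or a quoted attribute); output placed inside a JavaScript block or a URL needs the encoding appropriate to that context.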

The Jarlsberg code is offered under a Creative Commons license for use in other training exercises by computer scientists, software engineers, and developers. This kind of training is immensely valuable, even for developers with an understanding of the issues—a lot of Web application attacks are quite nuanced, with each class of attack having multiple vectors. In an ideal world, no one would even publish a Web application without having gone through these exercises—or training like them—first.